Trojan Horse malware is a major threat that has grown with the spread of the digital world. Data gathered through the study of memory can provide valuable insight into a Trojan Horse's behavior patterns, so memory analysis techniques are one of the topics that should be investigated for Trojan Horse detection. This study proposes the use of memory data for Trojan Horse detection with a decision tree (DT) classifier. Experiments were performed on the Trojan Horse samples of the CIC-MalMem-2022 dataset. Binary classification (Trojan Horse versus benign) was performed with DT, gradient boosted tree, Naive Bayes (NB), linear support vector machine, K-nearest neighbors (KNN), and other machine learning (ML) classifiers, and the methods were compared using the accuracy, recall, precision, and F1-score metrics. The most successful Trojan Horse detection was obtained with the DT classifier, which achieved an accuracy of 99.96% on memory data. The NB classifier showed the lowest performance, with an accuracy of 98.41%. In addition, most of the classifiers attained very high results. Based on these results, data from memory analysis is very valuable for detecting Trojan Horses.
1. INTRODUCTION


Cyberthreats encompass nefarious and potentially perilous actions, plans, or occurrences that exploit 
vulnerabilities in digital technologies, networks, and systems. Cybercriminals, hackers, or other malicious 
entities orchestrate and execute these threats to compromise the confidentiality, integrity, availability, or 
overall security of digital assets, data, or business operations [1]. Data breaches, phishing attacks, identity 
theft, and malware infections exemplify the wide array of actions falling under the umbrella of cyber threats 
[2], [3]. Given the swiftly evolving landscape of technology and the digital realm, proactive cybersecurity 
measures are imperative to curbing risks and shielding against potential malware infections. Contemporary 
forms of malware include ransomware, keyloggers, rootkits, and Trojan Horses [4]-[6]. 

A Trojan Horse is a computer application that is downloaded and installed on a computer while masquerading as harmless but carrying harmful intent. Unanticipated modifications to computer settings and unusual activity, particularly during periods of inactivity, indicate the presence of a Trojan Horse. These deceptive programs are often concealed within seemingly innocuous email attachments or free downloads. Upon opening such an attachment or initiating the download, the embedded malware is introduced to the user's device, enabling the malicious code to execute the attacker's intended actions [7]-[9]. Trojan Horse attacks have emerged as significant cybersecurity risks, inflicting financial losses and operational disruptions on individuals and businesses. In 2022 alone, 5.5 billion malware attacks were documented, with 2.75 billion attributed to Trojan Horses [6]. To safeguard against these threats, a comprehensive approach combining preventive measures and proactive security protocols is essential to prevent the infiltration of these malicious programs into systems [10], [11]. Given Trojans' ability to mimic benign software, maintaining vigilance and adopting the necessary precautions are paramount. Defenses against Trojan Horse threats can be augmented by advanced strategies such as sandboxing, honeypots, and machine learning (ML) [12]-[14].

Harnessing the capabilities of artificial intelligence and data analysis, ML is a potent tool against Trojan Horse attacks: models can be trained to recognize these infiltrations and so to detect and prevent them. ML-driven models identify discernible patterns and behaviors linked to Trojan Horses, laying the groundwork for proactive security strategies. Using ML to classify Trojan Horses requires training models to distinguish autonomously between benign and malicious software; by learning from carefully labeled datasets, ML classifiers discern the patterns and attributes characteristic of Trojan Horse behavior. Well-known ML classifiers include random forest (RF), logistic regression (LR), support vector machine (SVM), Naive Bayes (NB), K-nearest neighbors (KNN), and decision tree (DT) [15]-[20]. In this article, the DT classifier takes the forefront in identifying Trojan Horse occurrences.

1.1. Related works

Kulkarni et al. [21] introduced a low-overhead online learning hardware solution for unforeseen attacks on a specialized many-core architecture. The assumption is that memory and processor cores remain secure, with anomalies introduced only through communication exchanges. The training dataset is constructed from the effects of Trojan insertions and hardware feature analysis. SVM, KNN, and the modified balanced winnow algorithm (MBWA) are evaluated on their effectiveness at detecting unforeseen attacks: an ML model is trained with two types of attacks, and a new attack type is introduced at run time. The MBWA algorithm shows 5% to 8% higher detection accuracy than SVM and KNN. An attack insertion module is implemented to test the design with condition-based attacks. The design is fully implemented and routed on a Xilinx Virtex-7 field-programmable gate array (FPGA), and only four additional cycles are required to detect attacks during operation. Compared with previously published Trojan detection designs, the approach achieves a 56% reduction in area overhead and a 50% decrease in latency.

Worley and Rahman [22] conducted a quantitative assessment comparing four supervised ML techniques for classifying integrated circuits based on their ring oscillator network frequencies. With an SVM classifier, this approach achieved 97.6% accuracy in binary classification at a false positive rate (FPR) of 7.1%, while ensemble approaches attained an accuracy of around 88% with no false positives. Despite these encouraging findings, supervised methods are often not feasible in real-world supply chain contexts, because obtaining validated 'golden chips' is a significant challenge and determining which chips are compromised at the dataset's assumed scale is near impossible. Note that both [21] and [22] address hardware Trojans, malicious modifications to integrated circuits, rather than the software Trojan Horse malware studied here; their features (hardware counters, oscillator frequencies) and threat model differ from the memory-image analysis of a running system pursued in this paper.

Xuan et al. [23] introduced a hybrid semi-supervised classifier designed to detect and classify web Trojans accurately while using a limited amount of labeled data. The data are drawn from a web security gateway, where unlabeled data are far more plentiful than tagged data. Their approach detects web Trojans by combining an autoencoder with a multi-layer feed-forward, back-propagation (BP) artificial neural network (ANN). The detection model and the extracted web Trojan features were examined first; the robustness of feature extraction was then improved through unsupervised learning with a stacked denoising autoencoder, and integrating the BP-supervised ANN allowed the network structure to be fine-tuned and the detection model optimized. The proposed approach reached an accuracy of 91.99%, compared with 89.32% for DT and 91.13% for SVM, a modest but consistent improvement over these established classification techniques.


2. METHOD 

This section presents the Obfuscated-MalMem2022 dataset that has been used in this paper. Then, 
the preprocessing operations that have been performed on the used dataset will be discussed. Finally, the DT 
classifier that will be used to detect the attack will be discussed. Figure 1 shows the operations performed to 
detect the Trojan Horse attack using the DT classifier. 
Figure 1. Trojan Horse attack detection
2.1. Obfuscated-MalMem2022 dataset

The Obfuscated-MalMem2022 dataset encompasses three primary malware families: spyware, ransomware, and Trojan Horse. This study focuses on the Trojan Horse category, so all spyware and ransomware instances were excluded, producing a refined dataset referred to here as Trojan-MalMem. Trojan-MalMem comprises 9487 Trojan Horse entries across five distinct families: Zeus (1950 records), Emotet (1967 records), Refroso (2000 records), Scar (2000 records), and Reconyc (1570 records). The distribution of Trojan Horse types is illustrated in Figure 2. Trojan-MalMem additionally incorporates 29298 entries of benign data [24], for 38785 rows in total; benign rows thus outnumber Trojan rows by roughly three to one, which should be kept in mind when accuracy is read on its own.
Figure 2. Trojan Horse types distribution
2.2. Trojan-MalMem preprocessing

The two primary operations in ML data preprocessing are data transformation and data normalization. Data transformation converts and reformats data into a suitable form, for example turning text data into numbers with a technique such as label encoding, in which each unique category is assigned a unique integer label. Only the last column of the Trojan-MalMem dataset contains text data [14]; as mentioned above, it holds the values benign, Zeus, Emotet, Refroso, Scar, and Reconyc [24]. Label encoding therefore maps them to 0, 1, 2, 3, 4, and 5, respectively. For the binary task studied in this paper, the five Trojan labels (1 to 5) together form the positive class and benign (0) the negative class. Data normalization brings numerical variables onto a similar scale so that no feature dominates the learning process because of its range. Min-Max scaling (1) is a normalization method that rescales each feature to a specified range, usually between 0 and 1 [14]:


$x_{\text{normalized}} = \frac{x - \min}{\max - \min}$ (1)


where $x$ is the original value of a feature, $x_{\text{normalized}}$ is its scaled value, and $\min$ and $\max$ are the minimum and maximum of that feature over the dataset (Min-Max scaling is applied column by column, so each feature has its own $\min$ and $\max$). The Trojan-MalMem features span widely different scales [24], so Min-Max scaling is used to bring them all into the range 0 to 1. Tables 1 and 2 show a sample of the Trojan-MalMem dataset before and after normalization, respectively. When normalization is combined with cross-validation, $\min$ and $\max$ should be computed on the training folds only and then applied to the held-out fold; fitting the scaler on the whole dataset leaks test-fold statistics into training. Together, transformation and normalization improve the quality of the dataset and support the effectiveness of the subsequent ML classifiers.
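The following Python is an added example, not code from the paper, showing the two preprocessing steps end to end on the seven feature vectors of Table 1. The class names attached to the rows are constructed for illustration and are not the rows' real labels; the collapse of the six labels to a binary target, the train-only fitting of the scaler, the clipping of out-of-range values and the handling of a constant feature are choices made here rather than steps the paper states.

```python
"""Label encoding, binary relabelling and per-feature min-max scaling.

Added example, not code from the paper. Feature rows are copied from
Table 1; the class names attached to them are constructed for
illustration and are not the rows' real labels.
"""
from typing import Dict, List, Sequence, Tuple

# Encoding order stated in the paper: benign 0, Zeus 1, Emotet 2,
# Refroso 3, Scar 4, Reconyc 5.
CLASS_ORDER = ["Benign", "Zeus", "Emotet", "Refroso", "Scar", "Reconyc"]
LABEL_MAP: Dict[str, int] = {name: i for i, name in enumerate(CLASS_ORDER)}

# Nine numeric features per row (Table 1); the labels are constructed here.
SAMPLE_ROWS: List[Tuple[List[float], str]] = [
    ([42, 16, 10.73809524, 0, 209.2142857, 1621, 38.5952381, 8787, 209.2142857], "Benign"),
    ([40, 16, 9.525, 0, 204.175, 1504, 37.6, 8167, 204.175], "Benign"),
    ([42, 16, 10.02380952, 0, 206.2619048, 1610, 38.33333333, 8663, 206.2619048], "Benign"),
    ([44, 17, 9.590909091, 0, 200.7954545, 1674, 38.04545455, 8835, 200.7954545], "Zeus"),
    ([45, 17, 10.55555556, 0, 202.8444444, 1694, 38.5, 9129, 212.3023256], "Emotet"),
    ([47, 19, 11.53191489, 0, 242.2340426, 2074, 44.12765957, 11385, 242.2340426], "Refroso"),
    ([40, 14, 14.725, 0, 288.225, 1932, 48.3, 11529, 288.225], "Scar"),
]


def encode_label(name: str) -> int:
    """Label encoding: map a class name to its integer label (0..5)."""
    try:
        return LABEL_MAP[name]
    except KeyError:
        raise ValueError(f"unknown class label {name!r}") from None


def to_binary(label: int) -> int:
    """Collapse the six-way label to the binary task: 0 benign, 1 any Trojan."""
    return 0 if label == LABEL_MAP["Benign"] else 1


def fit_min_max(rows: Sequence[Sequence[float]]) -> List[Tuple[float, float]]:
    """Per-feature (min, max). Call this on the training fold only."""
    n_features = len(rows[0])
    bounds = []
    for j in range(n_features):
        column = [row[j] for row in rows]
        bounds.append((min(column), max(column)))
    return bounds


def apply_min_max(row: Sequence[float], bounds: Sequence[Tuple[float, float]],
                  clip: bool = True) -> List[float]:
    """Scale one row with bounds learned from training data, equation (1).

    A constant feature (max == min) maps to 0.0 instead of dividing by zero,
    and values outside the training range are clipped to [0, 1] when clip is set.
    """
    scaled = []
    for x, (lo, hi) in zip(row, bounds):
        if hi == lo:
            scaled.append(0.0)
            continue
        v = (x - lo) / (hi - lo)
        if clip:
            v = min(1.0, max(0.0, v))
        scaled.append(v)
    return scaled


def preprocess(train: Sequence[Tuple[Sequence[float], str]],
               test: Sequence[Tuple[Sequence[float], str]]):
    """Encode labels and scale both splits with bounds fitted on train only."""
    bounds = fit_min_max([features for features, _ in train])
    x_train = [apply_min_max(f, bounds) for f, _ in train]
    x_test = [apply_min_max(f, bounds) for f, _ in test]
    y_train = [to_binary(encode_label(name)) for _, name in train]
    y_test = [to_binary(encode_label(name)) for _, name in test]
    return x_train, y_train, x_test, y_test


if __name__ == "__main__":
    x_tr, y_tr, x_te, y_te = preprocess(SAMPLE_ROWS[:5], SAMPLE_ROWS[5:])
    for row, y in zip(x_tr, y_tr):
        print([round(v, 4) for v in row], y)
    print("held-out:", [[round(v, 4) for v in r] for r in x_te], y_te)
```

The fourth feature is zero in every Table 1 row, which is exactly the case where a naive implementation of (1) divides by zero; the scaler above maps such a column to 0.0. Clipping matters because a held-out row can exceed the training range, and a tree split learned on [0, 1] should not see values outside it.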


Table 1. Sample of the Trojan-MalMem dataset before normalization
Data samples (nine memory features, comma separated)                                  Output

42, 16, 10.73809524, 0, 209.2142857, 1621, 38.5952381, 8787, 209.2142857
40, 16, 9.525, 0, 204.175, 1504, 37.6, 8167, 204.175
42, 16, 10.02380952, 0, 206.2619048, 1610, 38.33333333, 8663, 206.2619048
44, 17, 9.590909091, 0, 200.7954545, 1674, 38.04545455, 8835, 200.7954545
45, 17, 10.55555556, 0, 202.8444444, 1694, 38.5, 9129, 212.3023256
47, 19, 11.53191489, 0, 242.2340426, 2074, 44.12765957, 11385, 242.2340426
40, 14, 14.725, 0, 288.225, 1932, 48.3, 11529, 288.225


Table 2. Sample of the Trojan-MalMem dataset after normalization
Data samples (nine memory features, comma separated)                                  Output

0.091743119, 0.125, 0.602767848, 0, 0.232847424, 0.307725139, 0.682017433, 0.168570919, 0.076448356
0.082568807, 0.125, 0.522309316, 0, 0.226113578, 0.257789159, 0.660305073, 0.140899759, 0.068341683
0.091743119, 0.125, 0.555392853, 0, 0.228902246, 0.303030303, 0.676303654, 0.163036687, 0.071698876
0.100917431, 0.140625, 0.526680736, 0, 0.221597593, 0.330345711, 0.670023219, 0.170713202, 0.062905026
0.105504587, 0.140625, 0.590660905, 0, 0.224335597, 0.338881776, 0.679939695, 0.183834687, 0.081416069
0.114678899, 0.171875, 0.65541793, 0, 0.276970733, 0.501067008, 0.802714106, 0.284522003, 0.129567064
0.082568807, 0.09375, 0.867199276, 0, 0.338427067, 0.440460948, 0.893738914, 0.290948853, 0.203552475


2.3. Trojan Horse malware detection 

The DT classifier is used for Trojan Horse detection. DT is a popular supervised learning classifier used for both classification and regression tasks. It is a tree-like structure in which each internal node represents a decision based on a feature, each branch represents an outcome of that decision, and each leaf node represents a class label or a predicted value [14], [25]. Figure 3 illustrates the DT classifier.

In classification tasks, the DT classifier splits the data based on the features to create hierarchical partitions that separate the classes. At each internal node the classifier selects the best feature to split on using criteria such as Gini impurity or entropy, aiming to maximize the purity of each partition. The Gini impurity and entropy of a given node are calculated using (2) and (3), respectively [26], [27]:


$\text{Gini impurity} = 1 - \sum_{i} p_i^{2}$ (2)

$\text{Entropy} = -\sum_{i} p_i \log_2 p_i$ (3)

where $p_i$ is the proportion of data points in the node that belong to class $i$. Both measures are zero for a pure node and largest when the classes are evenly mixed; a split is chosen to minimize the sample-weighted impurity of the resulting child nodes.

The construction and use of a DT to detect Trojan Horses involve a series of steps. First, the algorithm identifies the optimal feature and threshold for splitting the Trojan-MalMem dataset into subsets at the root node, guided by a criterion such as Gini impurity or entropy. The chosen feature value lays the foundation for creating these subsets of the Trojan-MalMem dataset at internal nodes. The recursive splitting process then extends the data partitioning to each subset or child node, progressively building the hierarchical structure of the tree. Leaf nodes end the recursion and hold the final predictions (Trojan Horse or benign). Pruning, the selective removal of branches or nodes, can be applied to counteract overfitting and improve generalization; limiting tree depth or the minimum number of samples per node (pre-pruning) serves the same purpose. Finally, the DT is used for prediction: an unseen record navigates the tree, choosing branches according to its feature values until it reaches a leaf node, which gives the final prediction of Trojan Horse or benign [25]-[28]. Together these operations yield an interpretable decision-making framework for accurate predictions on new Trojan Horse samples.
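The steps above, carried through in Python as an added example that is not the paper's implementation: the impurity measures of (2) and (3), the search for the best feature and threshold, recursive partitioning bounded by a depth limit and a minimum node size (pre-pruning), and prediction by walking the tree. The eight two-feature rows are constructed toy data, not records from Trojan-MalMem, and the node layout and function names are this example's own.

```python
"""Minimal CART-style decision tree for the Trojan-versus-benign task.

Added example, not the paper's implementation. The eight two-feature
rows below are constructed toy data (label 1 = Trojan Horse, 0 = benign).
"""
import math
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Sequence


def gini(labels: Sequence[int]) -> float:
    """Gini impurity, 1 - sum(p_i^2), equation (2)."""
    n = len(labels)
    if n == 0:
        return 0.0
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def entropy(labels: Sequence[int]) -> float:
    """Entropy, -sum(p_i * log2 p_i), equation (3)."""
    n = len(labels)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(labels).values())


@dataclass
class Node:
    label: Optional[int] = None        # set on leaves only
    feature: Optional[int] = None      # set on internal nodes only
    threshold: Optional[float] = None
    left: Optional["Node"] = None      # rows with x[feature] <= threshold
    right: Optional["Node"] = None     # rows with x[feature] >  threshold


def best_split(X, y, impurity):
    """Return (feature, threshold, weighted child impurity) of the best split.

    Candidate thresholds are midpoints between consecutive distinct values,
    so every split leaves both children non-empty.
    """
    n = len(y)
    best = (None, None, math.inf)
    for j in range(len(X[0])):
        values = sorted(set(row[j] for row in X))
        for lo, hi in zip(values, values[1:]):
            t = (lo + hi) / 2
            left = [y[i] for i in range(n) if X[i][j] <= t]
            right = [y[i] for i in range(n) if X[i][j] > t]
            score = (len(left) * impurity(left) + len(right) * impurity(right)) / n
            if score < best[2]:
                best = (j, t, score)
    return best


def build_tree(X, y, impurity=gini, max_depth=3, min_samples=2, depth=0) -> Node:
    """Recursive partitioning; max_depth and min_samples bound growth (pre-pruning)."""
    majority = Counter(y).most_common(1)[0][0]
    if impurity(y) == 0.0 or depth >= max_depth or len(y) < min_samples:
        return Node(label=majority)
    j, t, score = best_split(X, y, impurity)
    if j is None or score >= impurity(y):   # no split improves purity: stop here
        return Node(label=majority)
    li = [i for i in range(len(y)) if X[i][j] <= t]
    ri = [i for i in range(len(y)) if X[i][j] > t]
    return Node(
        feature=j, threshold=t,
        left=build_tree([X[i] for i in li], [y[i] for i in li],
                        impurity, max_depth, min_samples, depth + 1),
        right=build_tree([X[i] for i in ri], [y[i] for i in ri],
                         impurity, max_depth, min_samples, depth + 1),
    )


def predict(node: Node, x: Sequence[float]) -> int:
    """Walk from the root to a leaf, choosing branches by feature value."""
    while node.label is None:
        node = node.left if x[node.feature] <= node.threshold else node.right
    return node.label


# Constructed toy data (two features per row), not records from the dataset.
TOY_X = [[1, 5], [2, 6], [3, 5], [4, 7], [8, 1], [9, 2], [10, 1], [7, 3]]
TOY_Y = [0, 0, 0, 0, 1, 1, 1, 1]

if __name__ == "__main__":
    tree = build_tree(TOY_X, TOY_Y)
    print("root split: feature", tree.feature, "<=", tree.threshold)
    print("predict [5, 4] ->", predict(tree, [5, 4]), "; predict [6, 0] ->", predict(tree, [6, 0]))
```

On the toy rows the root split lands on feature 0 at 5.5 and both children are pure, so the tree is a single decision node. With real memory features a fully grown tree will keep splitting until every leaf is pure, which is where the depth and minimum-size limits (or post-pruning) earn their keep.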


Figure 3. DT classifier (root node, decision nodes, sub tree, and leaf nodes)


3. RESULT AND DISCUSSION 

The proposed model was tested on a PC with the following specification: an Intel 13th Gen Core i9-13900F CPU (24 cores, up to 5.6 GHz), 32 GB of 3200 MHz DDR4 memory, a GeForce RTX 4070 graphics card, a 1 TB M.2 SSD (up to 3500 MB/s), and Ubuntu 20.04.4 LTS. The model was trained and evaluated with 5-fold cross-validation, that is, five train/evaluate rounds, each holding out a different fold. Evaluating the proposed model involves several metrics that quantify how well it performs on the given dataset. The true positive (TP), true negative (TN), false positive (FP), and false negative (FN) counts of the confusion matrix were used to derive four metrics: accuracy (4), recall (5), precision (6), and F1-score (7) [14], [25].


$\text{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN}$ (4)

$\text{Recall} = \frac{TP}{TP + FN}$ (5)

$\text{Precision} = \frac{TP}{TP + FP}$ (6)

$\text{F1-score} = 2 \times \frac{\text{Pre} \times \text{Rec}}{\text{Pre} + \text{Rec}}$ (7)

where Pre and Rec denote precision (6) and recall (5), and the positive class is Trojan Horse.
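The evaluation procedure as an added Python example, not the paper's code: the confusion counts and the four metrics of (4) to (7), a stratified k-fold splitter of the kind used for 5-fold cross-validation, pooling of per-fold confusion matrices, and the majority-class baseline that any reported accuracy should be compared against. The label vectors in the usage are constructed; the class counts fed to the baseline are those given in Section 2.1, and the function names are this example's own.

```python
"""Confusion-matrix metrics and stratified k-fold splitting.

Added example, not the paper's evaluation code. The label vectors used
in the usage are constructed; the class counts for the baseline are the
Trojan-MalMem counts given in Section 2.1 (9487 Trojan, 29298 benign).
"""
import random
from typing import Dict, List, Sequence, Tuple


def confusion(y_true: Sequence[int], y_pred: Sequence[int]) -> Dict[str, int]:
    """TP/TN/FP/FN counts with 1 = Trojan Horse as the positive class."""
    if len(y_true) != len(y_pred):
        raise ValueError("label vectors differ in length")
    c = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for t, p in zip(y_true, y_pred):
        if t == 1 and p == 1:
            c["TP"] += 1
        elif t == 0 and p == 0:
            c["TN"] += 1
        elif t == 0 and p == 1:
            c["FP"] += 1
        else:
            c["FN"] += 1
    return c


def _ratio(num: float, den: float) -> float:
    return num / den if den else 0.0   # an undefined ratio is reported as 0.0


def metrics(c: Dict[str, int]) -> Dict[str, float]:
    """Accuracy (4), recall (5), precision (6) and F1-score (7)."""
    acc = _ratio(c["TP"] + c["TN"], sum(c.values()))
    rec = _ratio(c["TP"], c["TP"] + c["FN"])
    pre = _ratio(c["TP"], c["TP"] + c["FP"])
    f1 = _ratio(2 * pre * rec, pre + rec)
    return {"accuracy": acc, "recall": rec, "precision": pre, "f1": f1}


def majority_baseline(n_positive: int, n_negative: int) -> float:
    """Accuracy of always predicting the larger class: the floor a model must beat."""
    return max(n_positive, n_negative) / (n_positive + n_negative)


def stratified_folds(y: Sequence[int], k: int, seed: int = 0) -> List[List[int]]:
    """Split row indices into k folds that each keep the overall class ratio."""
    rng = random.Random(seed)
    folds: List[List[int]] = [[] for _ in range(k)]
    for cls in sorted(set(y)):
        idx = [i for i, lab in enumerate(y) if lab == cls]
        rng.shuffle(idx)
        for pos, i in enumerate(idx):
            folds[pos % k].append(i)
    return folds


def pooled_metrics(fold_results: Sequence[Tuple[Sequence[int], Sequence[int]]]) -> Dict[str, float]:
    """Sum confusion counts over all folds, then compute the metrics once."""
    total = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for y_true, y_pred in fold_results:
        for key, val in confusion(y_true, y_pred).items():
            total[key] += val
    return metrics(total)


if __name__ == "__main__":
    y_true = [1, 1, 1, 0, 0, 0, 0, 0]          # constructed
    y_pred = [1, 1, 0, 0, 0, 0, 0, 1]          # constructed
    print(metrics(confusion(y_true, y_pred)))
    print("majority baseline on Trojan-MalMem: %.4f" % majority_baseline(9487, 29298))
```

With 29298 benign and 9487 Trojan rows the majority baseline is about 75.5%, so the 98% to 99.96% accuracies reported below are well above chance; recall and precision, which the baseline predictor scores at zero, are the metrics that show the Trojan class is actually being found. Pooling confusion counts across folds (micro-averaging) and averaging per-fold metrics (macro-averaging) give slightly different numbers, so a report should say which it uses.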


Figures 4 to 7 show the accuracy, recall, precision, and F1-score, respectively, of Trojan Horse detection with DT against other common classifiers. DT achieved the highest value, 99.96%, on all four metrics. Conversely, the NB classifier registered the lowest accuracy (98.41%), precision (97.02%), and F1-score (98.42%) among the classifiers considered, and the linear support vector classifier (SVC) exhibited the lowest recall (99.57%). Since every classifier, including NB, exceeds 97% on every metric, the margins between methods are small and the Trojan and benign classes of this dataset appear to be readily separable; the ranking should be read in that light and, as noted in the conclusion, may not carry over to other datasets.
Figure 4. Accuracy of detecting the Trojan Horse
Figure 5. Recall of detecting the Trojan Horse
4. CONCLUSION

As networking and internet technologies continue to advance, Trojan Horse developers have rapidly adapted their malicious code, often exploiting vulnerabilities in operating systems. Despite the existence of various techniques for detecting Trojan Horses through operating system memory analysis, newly developed Trojans continue to evade these methods. In response, we propose a Trojan Horse detection model that applies a DT classifier to data extracted from system memory. To assess its effectiveness, we evaluated the model on the Trojan-MalMem dataset. The performance metrics showed that all classifiers achieved high accuracy in Trojan Horse classification; among them, DT excelled with accuracy, recall, precision, and F1-score of 99.96%. These results underscore the contribution of memory analysis data to a high success rate in Trojan Horse detection. The parameters used in this study and the results obtained are specific to the Trojan-MalMem dataset; different datasets with other features or classes may yield different results, which is a limitation to consider. Nevertheless, we believe the ML approach holds promise for Trojan Horse detection, and this study lays a foundation for further classification research using ML on memory analysis data. Future studies could explore different hyperparameters, and we intend to expand to multiclass classification over the six class labels of the Trojan-MalMem dataset: Benign, Zeus, Emotet, Refroso, Scar, and Reconyc.